CVE-2026-35044 HIGH

CVE-2026-35044: BentoML has a Server-Side Template Injection via unsandboxed Jinja2 Environment in Dockerfile generation

Vendor Bentoml
Product BentoML
Weakness CWE-1336
Published April 6, 2026
Last update April 6, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile_template files. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python directly on the host machine, bypassing all container isolation. This vulnerability is fixed in 1.4.38.
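A pre-import triage check for the dockerfile_template described above, added here as an example; it is not BentoML code and not the project's fix. It flags the two constructs that an unsandboxed environment with jinja2.ext.do permits and that Jinja2's sandbox would refuse or that a Dockerfile template rarely needs: do statements and underscore-prefixed attribute access. The function name, rule names and sample templates are assumptions constructed for illustration, and the check is heuristic, so it does not replace upgrading to 1.4.38.

```python
import re

# Jinja2 default delimiters: {{ expression }} and {% statement %},
# optionally with whitespace-control markers (-, +).
BLOCK = re.compile(r"\{\{-?(.*?)-?\}\}|\{%[-+]?\s*(.*?)\s*[-+]?%\}", re.S)

# Attribute, subscript or |attr() access to a name starting with "_".
# Jinja2's SandboxedEnvironment treats underscore-prefixed attributes as unsafe.
UNDERSCORE = re.compile(r"""(?:\.\s*|\[\s*['"]|attr\(\s*['"])_""")


def triage_template(text):
    """Return a list of (line_no, rule, snippet) findings for one template."""
    findings = []
    for m in BLOCK.finditer(text):
        expr, stmt = m.group(1), m.group(2)
        line_no = text.count("\n", 0, m.start()) + 1
        body = (expr if expr is not None else stmt).strip()
        # {% do ... %} evaluates an expression purely for its side effects;
        # it only exists when the jinja2.ext.do extension is loaded.
        if stmt is not None and re.match(r"do\b", body):
            findings.append((line_no, "do-statement", body))
        if UNDERSCORE.search(body):
            findings.append((line_no, "underscore-attribute", body))
    return findings


# Constructed sample templates (not taken from any real bento archive).
BENIGN = """\
FROM {{ base_image }}
{% block setup %}
RUN pip install {{ package_name }}
{% endblock %}
"""

SUSPICIOUS = """\
FROM {{ base_image }}
{% do items.append(1) %}
RUN echo {{ cfg.__class__ }}
"""

if __name__ == "__main__":
    for name, tpl in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, triage_template(tpl))
```

Any finding on a template from an archive you did not build is a reason to review it by hand before running bentoml containerize on an unpatched version.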

Key dates

02 Disclosure timeline

April 6, 2026 CVE published
April 6, 2026 Record updated